Analysis
-
max time kernel: 146s
max time network: 134s
platform: windows7_x64
resource: win7v20210410
submitted: 22-07-2021 11:25
Static task: static1
Behavioral task: behavioral1 (Sample: New Order.docx, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: New Order.docx, Resource: win10v20210408)
General
-
Target: New Order.docx
Size: 10KB
MD5: 37440402e2f3bed12f391338cbd4fc12
SHA1: f28f9be236b1593f2f7da3ceb4b0478c96c7b0d0
SHA256: b5bcdc51fdaabc11a62e8401493b5fa24b6f4a350d597cc58a04cfc0dedefbfc
SHA512: 468e045dcec4558ed25e25f0dae0fb99be55e300994ffc698e2cb6dfc0812c89d3a13a69e0fe0166d4f0a50891bcb1f65526122e8ae52b67056c937e25c7fa5a
Malware Config
Extracted
Family: formbook
Version: 4.1
URL: http://www.bookkeeping32.com/p6ai/
Domains:
ocfoundation.info
fullhouse01.com
a-great-lexus-rx.fyi
googlepayperclick.com
coachmyragolden.com
luxclothing.club
medicationbuddy.com
miraclepawsfoundation.com
datingforcez.online
wasteharvester.com
solslides.com
hotel-ritterhof.com
tianjinsf.com
receiveyourcashnow.com
the-vma.com
godrejroyalewoodsbangalore.com
erickrokanphotography.com
vasinvestments.com
janlago.com
2nocent.com
grasipy.com
generic5menviav.com
siokan.com
trump-single.com
betweentheadvents.com
huellitasdecleo.com
callaido.com
jfl-info.net
associationuniversity.com
fashionclogstops.com
tlscert.watch
maxenvio4.online
rugpat.com
aerialconsult.com
rwtcjd.com
thevirtualeventz.com
kuyili.net
tiendapatina.com
samcartt.com
tacotourtexas.com
kindermap.com
kofc2458.com
learnavstandards.com
independentthirdparty.com
vanessabruno.club
urbanaffirmation-active.com
uniquelykay.com
micondolencias.com
thehaircandi.com
dfshelf.com
beautifullivesmatter.info
tea.coffee
pickleballpainmanagement.com
kci-sh.com
vzhizuo.com
edubox24.store
emridoc.com
fashpark.com
irishebikes.com
natalyashelk.online
kpassan.com
eranratzon.com
femueweczedre.com
bastianbrown.com
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2020-79-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/2020-80-0x000000000041EB10-mapping.dmp | formbook
behavioral1/memory/1592-92-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
13 | 596 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
928 | vbc.exe
2020 | vbc.exe
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\https://hyp.ae/pGGoM | WINWORD.EXE
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
596 | EQNEDT32.EXE (4 entries)
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 928 set thread context of 2020 | 928 | vbc.exe | vbc.exe
PID 2020 set thread context of 1292 | 2020 | vbc.exe | Explorer.EXE
PID 2020 set thread context of 1292 | 2020 | vbc.exe | Explorer.EXE
PID 1592 set thread context of 1292 | 1592 | explorer.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1116 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
2020 | vbc.exe (3 entries)
1592 | explorer.exe (13 entries)
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
2020 | vbc.exe (4 entries)
1592 | explorer.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2020 | vbc.exe
Token: SeDebugPrivilege | 1592 | explorer.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1116 | WINWORD.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description | pid | process | target process
PID 596 wrote to memory of 928 | 596 | EQNEDT32.EXE | vbc.exe (4 entries)
PID 1116 wrote to memory of 1520 | 1116 | WINWORD.EXE | splwow64.exe (4 entries)
PID 928 wrote to memory of 2020 | 928 | vbc.exe | vbc.exe (7 entries)
PID 1292 wrote to memory of 1592 | 1292 | Explorer.EXE | explorer.exe (4 entries)
PID 1592 wrote to memory of 908 | 1592 | explorer.exe | cmd.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Order.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Public\vbc.exe
MD5: 2dfc510fcb8520b77eb106532c34d50d
SHA1: dad10972c6b92fd4d8f68b66aa028b3b081a2e2f
SHA256: 27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a
SHA512: 00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1
-
\Users\Public\vbc.exe
MD5: 2dfc510fcb8520b77eb106532c34d50d
SHA1: dad10972c6b92fd4d8f68b66aa028b3b081a2e2f
SHA256: 27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a
SHA512: 00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1
-
memory/908-90-0x0000000000000000-mapping.dmp
memory/928-77-0x0000000007F80000-0x0000000007FFA000-memory.dmp (Filesize: 488KB)
memory/928-75-0x0000000004D40000-0x0000000004D41000-memory.dmp (Filesize: 4KB)
memory/928-68-0x0000000000000000-mapping.dmp
memory/928-71-0x0000000001350000-0x0000000001351000-memory.dmp (Filesize: 4KB)
memory/928-78-0x0000000000AB0000-0x0000000000AE5000-memory.dmp (Filesize: 212KB)
memory/928-76-0x0000000000390000-0x00000000003AB000-memory.dmp (Filesize: 108KB)
memory/1116-60-0x0000000070881000-0x0000000070883000-memory.dmp (Filesize: 8KB)
memory/1116-59-0x0000000072E01000-0x0000000072E04000-memory.dmp (Filesize: 12KB)
memory/1116-62-0x00000000767B1000-0x00000000767B3000-memory.dmp (Filesize: 8KB)
memory/1116-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
memory/1292-84-0x0000000006CA0000-0x0000000006DC9000-memory.dmp (Filesize: 1.2MB)
memory/1292-86-0x0000000007300000-0x0000000007452000-memory.dmp (Filesize: 1.3MB)
memory/1520-74-0x000007FEFC301000-0x000007FEFC303000-memory.dmp (Filesize: 8KB)
memory/1520-73-0x0000000000000000-mapping.dmp
memory/1592-89-0x000000006B121000-0x000000006B123000-memory.dmp (Filesize: 8KB)
memory/1592-87-0x0000000000000000-mapping.dmp
memory/1592-92-0x0000000000080000-0x00000000000AE000-memory.dmp (Filesize: 184KB)
memory/1592-91-0x0000000000A40000-0x0000000000CC1000-memory.dmp (Filesize: 2.5MB)
memory/1592-93-0x0000000002470000-0x0000000002773000-memory.dmp (Filesize: 3.0MB)
memory/1592-94-0x00000000022E0000-0x0000000002373000-memory.dmp (Filesize: 588KB)
memory/2020-83-0x0000000000190000-0x00000000001A4000-memory.dmp (Filesize: 80KB)
memory/2020-82-0x0000000000980000-0x0000000000C83000-memory.dmp (Filesize: 3.0MB)
memory/2020-85-0x00000000001E0000-0x00000000001F4000-memory.dmp (Filesize: 80KB)
memory/2020-80-0x000000000041EB10-mapping.dmp
memory/2020-79-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)